It’s just another aspect of burgeoning risk that hits senior executives directly. While you can’t control whether you get attacked, you can control your organisation’s readiness to respond and weather the storm.

At no point is an organisation ever perfectly protected. It’s a legitimate business decision, however, to choose to accept a reasonable amount of risk.

You don't have to be the most protected organisation on the planet. Indeed, if you choose to push endlessly towards reducing risk, there’s a law of diminishing returns.

Continuously driving to eliminate risk will eventually have a negative impact on your business by harming efficiency, lowering customer satisfaction or [pick a negative impact].

For anyone on the board who doesn’t believe this, please hand in your smartphones and tablets because they aren’t safe!

CEOs need to reset their approach to risk and security, otherwise they risk getting fired. The purpose of the security program is to create a balance between the need to protect and the need to run the business.

Gartner has identified seven reasons why more CEOs will be fired over cyber security breaches, and ways to hold onto your job.

Accountability today means “who do we fire when something goes wrong.” Organisations need good accountability to be successful. If being accountable means you get fired, no one will engage. The reality is that more CEOs will be "held accountable."

In the future, you’ll look back and judge the defensibility of the decisions that were made before the incident. Were you spending the right money on the right things? Are you defensible to your key stakeholders?

Without good risk engagement there’s no accountability – "I just did what the security people told me to do." Sell your executives on defensibility of decisions, not protection.

Strong accountability models, in which risks rest with those that have the authority to address them, ensure that systemic security problems are not allowed to fester.

2. The cultural disconnect

There’s no such thing as perfect protection. Many boards will lead you to believe they understand this, but they don’t. They still think this is a technical problem handled by technical people, buried in IT. They believe this problem can be solved.

What happens if you tell an executive you have a patching problem? They say: "Well, why don't you fix it?" Reporting levels of patch readiness to executives only tells them that you’re doing your job.

“I trusted the security people to get this right” will lead more executives to getting fired. By hiring the right people with the right technical knowledge, you can lessen the chance of being attacked and stay out of the headlines.

3. The server that never got patched

While there may be a legitimate business reason, many organisations have a handful of servers that never get patched. The problem is that no conscious business decision is made. It could be a business unit executive making the call, which never gets recorded or reported.

Invisible, systemic residual risk is everywhere. Conscious decisions need to be made regarding what an organisation will do, but more importantly, what it won’t do to protect itself.

Security staff are hired because they’re experts and their job is to protect the organisation. This silos the issue, placing people in charge of protecting business outcomes they don’t understand.

5. Throw money at the problem

You can't buy your way out — you still won't be perfectly protected. Organisations that have doubled their security budget are starting to build unsustainable solutions. Lack of consideration for ongoing operational costs is a common problem.

Blaming an organisation for getting hacked is like blaming a bank for getting robbed. The difference is that the banks are defensible — most organisations aren’t. This isn't fair, but sometimes people just want heads to roll.

Mayors don't get fired because a fire burns a section of town; they get fired for lacking the investment in readiness to deal with a blaze that got out of control.

Copyright 2018 IDG Communications. ABN 14 001 592 650. All rights reserved. Reproduction in whole or in part in any form or medium without express written permission of IDG Communications is prohibited.